PT-2026-44426 · Casdoor · Casdoor
David Lie
+4
·
Published
2026-05-28
·
Updated
2026-07-07
·
CVE-2026-9097
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Casdoor versions prior to 2.362.1
Description
Casdoor fails to verify if a JSON Web Token (JWT) used for token exchange remains active. The
GetTokenExchangeToken() function in object/token oauth.go validates the JWT signature and parses its claims but does not query the Token table to check if the subject token has been revoked or invalidated. This absence of a revocation check prevents administrators from terminating active sessions or revoking compromised tokens.Recommendations
Update to a version later than 2.362.0.
Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Casdoor